Security analysis of SIMD

Authors:
Charles Bouillaguet;Pierre-Alain Fouque;Gaëtan Leurent
Affiliations:
École Normale Supérieure, Département d'Informatique, Paris Cedex 05, France;École Normale Supérieure, Département d'Informatique, Paris Cedex 05, France;École Normale Supérieure, Département d'Informatique, Paris Cedex 05, France
Venue:
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Year:
2010

Citing 8
Cited 1

Differential Collisions in SHA-0

CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Inside the Hypercube

ACISP '09 Proceedings of the 14th Australasian Conference on Information Security and Privacy
Related-Key Cryptanalysis of the Full AES-192 and AES-256

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Provably good codes for hash function design

SAC'06 Proceedings of the 13th international conference on Selected areas in cryptography
Another look at complementation properties

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Merkle-Damgård revisited: how to construct a hash function

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

Differential and linear cryptanalysis using mixed-integer linear programming

Inscrypt'11 Proceedings of the 7th international conference on Information Security and Cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper provides three important contributions to the security analysis of SIMD. First, we show a new free-start distinguisher based on symmetry relations. It allows to distinguish the compression function of SIMD from a random function with a single evaluation. Then, we show that a class of free-start distinguishers is not a threat to wide-pipe hash functions. In particular, this means that our distinguisher has a minimal impact on the security of the SIMD hash function. Intuitively, the reason why this distinguisher does not weaken the function is that getting into a symmetric state is about as hard as finding a preimage. Finally, we study differential path in SIMD, and give an upper bound on the probability of related key differential paths. Our bound is in the order of 2-n/2 using very weak assumptions.